Vulnerability Note VU#654390

ISC DHCP contains C Includes that define vsnprintf() to vsprintf() creating potential buffer overflow conditions

Original Release date: 22 Jun 2004 | Last revised: 21 Jul 2004

Overview

The Internet Systems Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) 3 application contains a vulnerability that introduces several potential buffer overflow conditions. Exploitation of this vulnerability can cause a denial-of-service condition to the DHCP Daemon (DHCPD) and may permit a remote attacker to execute arbitrary code on the system with the privileges of the DHCPD process.

Description

ISC DHCP makes use of the vsnprintf() for writing various log file strings. For systems that do not support vsnprintf(), a C include file was created that defines the vsnprintf() function to vsprintf() as such:

    #define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)


vsprintf() is a function that does not check bounds, therefore the size is discarded creating the potential for a buffer overflow when client provided data is supplied. Note that the vsnprintf() statements are defined after the vulnerable code that is discussed in VU#317350. This means that VU#317350 would be triggered prior to these potential buffer overflows, unless a client could specify content to a vsnprintf() statement not associated with logging. It is believed that there aren't any other vsnprintf() statements vulnerable to this type of exploitation. Note that this vulnerability was discovered and exploitable after VU#317350 was resolved.

Only ISC DHCP 3.0.1rc12 and ISC DHCP 3.0.1rc13 are believed to be vulnerable for the following operating systems:
  • AIX
  • AlphaOS
  • Cygwin32
  • HP-UX
  • Irix
  • Linux
  • NextStep
  • SCO
  • SunOS 4
  • SunOS 5.5
  • Ultrix

As with VU#317350, all versions of ISC DCHP 3, including all snapshots, betas, and release candidates, contain the flawed code. However, it is not believed that these versions are exploitable because they discard all but the last hostname option provided by the client.

Impact

A remote attacker with the ability to send a crafted packet to the DHCPD listening port (typically port 67/UDP), may be able to crash the ISC DHCP daemon, causing a denial of service. It may be possible to execute arbitrary code on the vulnerable server with the privileges of the DHCPD process (typically root).

Solution

ISC has released DHCP 3.0.1rc14 which resolves this issue. For systems that do not support vsnprintf(), DHCP now implements it's own bounded function. DHCP will not compile and link if it does not believe that it is linking to a bounds checking function. Versions prior to ISC DHCP 3 are no longer supported. All users of ISC DHCP are encouraged to update to the latest version.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Fedora ProjectAffected12 Jun 200422 Jun 2004
InfoBloxAffected12 Jun 200413 Jul 2004
MandrakeSoftAffected12 Jun 200423 Jun 2004
SuSE Inc.Affected12 Jun 200423 Jun 2004
Apple Computer Inc.Not Affected12 Jun 200422 Jun 2004
Aruba NetworksNot Affected12 Jun 200423 Jun 2004
Check PointNot Affected12 Jun 200422 Jun 2004
Cisco Systems Inc.Not Affected12 Jun 200424 Jun 2004
Extreme NetworksNot Affected12 Jun 200422 Jun 2004
HitachiNot Affected12 Jun 200422 Jun 2004
IBMNot Affected12 Jun 200423 Jun 2004
Juniper NetworksNot Affected-22 Jun 2004
Microsoft CorporationNot Affected12 Jun 200423 Jun 2004
NetBSDNot Affected12 Jun 200422 Jun 2004
NominumNot Affected12 Jun 200424 Jun 2004
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

  • None

Credit

Thanks to Gregory Duchemin and Solar Designer for discovering, reporting and resolving this vulnerability. Thanks also to David Hankins of ISC for notifying us of this vulnerability and the technical information provided to create this document.

This document was created by Jason A Rafail and based on the technical information provided by David Hankins of ISC.

Other Information

  • CVE IDs: CAN-2004-0461
  • Date Public: 22 Jun 2004
  • Date First Published: 22 Jun 2004
  • Date Last Updated: 21 Jul 2004
  • Severity Metric: 14.21
  • Document Revision: 17

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.